I use andOTP on my phone and OTPClient on my PC (Linux), which has an option to import the database from andOTP. So even if I lost both phone and PC, I could still access the database from my (encrypted) external drive.
I used to use andOTP. It generally worked, but the UX was subpar and it lacked certain quality-of-life features.
I recently switched to Aegis Authenticator and I highly recommend it. It looks better, it is easier to use, offers better account management features and allows biometric (fingerprint) fallback/authentication.
One issue with Aegis is that you have to sync the configuration manually with Syncthing, but since I already use Syncthing, this wasn’t a huge hassle.
If you store your OATH-TOTP secret key and password together in the same database, then you don’t get two factors but one.
There are a number of security benefits to using TOTP (regardless of where you store the secrets, in a password manager or otherwise) compared to not using it at all.
- TOTP secrets are unguessable. Unlike passwords, whose strength is determined by the user, TOTP secrets are determined by the server and, if implemented correctly, are long random strings that cannot be obtained through guesswork (brute forcing, etc.).
- TOTP secrets are never transmitted during authentication. Even if there is a sophisticated MITM on your network that is able to intercept HTTPS traffic, TOTP secrets are never transmitted across the network after you originally receive them.
- TOTP secrets are unique. You’ll get a new one for each site you visit no matter what, whereas with typical password use most users end up reusing the same passwords. If you’re using a password manager correctly this is less of a big deal, however.
So it depends on your threat model. In theory storing your TOTP passwords in your password manager decreases your security a bit, because now an attacker only needs to compromise your password manager. But if you make that difficult enough it isn’t really an issue.
Two-factor isn’t as important for security as it’s cracked up to be, I’d go as far as to say it’s the least important benefit that TOTP gives users. The benefits of TOTP are significant even if you don’t store them in a separate location.
KeePassXC TOTP is best; I manage my own TOTP.
I never mentioned you should store everything on one machine.
I, for example, have a small laptop from which I removed the network card, and I put my TOTP database on it.